In message <e754e90906130925m6d9f723eh71090a331a427...@mail.gmail.com>, R Dicai re writes: > Hi folks, > Can both nsec and nsec3 records be used simultaneously in a zone file, > or is it an either/or?
NSEC and NSEC3 chains are expected to exist in a zone during a incremental transition between the two ways of negatively signing a zone. If there is a complete NSEC3 chain (indicated by a NSEC3PARAM record at the zone apex) servers are supposed to return NSEC3 proofs. NSEC3 is more expensive that NSEC is and really should not be used unless you need the features NSEC3 provide. There are additional cost on both the authoritative servers and on the validating servers when you use NSEC3. TLD's can make use of OPTOUT which is why you see ORG and GOV using NSEC3. End user zones generally can't make use of OPTOUT. Unless you really need to hide the presence of names in a zone then you shouldn't use NSEC3. Note: NSEC3 is a waste of time for IN-ADDR.ARPA, IP6.ARPA and RBL type zones which use IP addresses as they are highly structured and you can enumnerate the contents without walking the NSEC chain. Mark > Thanks > -- > aRDy Music and Rick Dicaire present: > http://www.ardynet.com > http://www.ardynet.com:9000/ardymusic.ogg.m3u > _______________________________________________ > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org _______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users